At least 10% of QR codes are scams, fraud investigators say

Fraud investigators say at least 10% of QR codes attached to online orders, restaurant tabletops and public posters are scams, as Chinese state-sponsored hackers increasingly target financial information stored on smartphones.

The fake codes have proliferated since 2022 and today steal $75 billion a year from consumers, according to the LexisNexis Risk Solutions’ Government Group, which works with federal agencies to combat the schemes.

“It’s one thing when they steal your credit card. It’s completely different when they get access to your debit card through your phone,” Haywood Talcove, CEO of government for LexisNexis Risk Solutions, told The Washington Times. “There’s no way of recovering that.”

Mr. Talcove said the only way Americans can protect themselves is to not scan QR codes unless they are certain a code is legit, or to use a second phone without sensitive information stored on it.

Once scanned, a fake QR code can intercept a restaurant meal payment or install malware that locks the phone and retrieves financial details stored on it. Before the victims can reset and wipe a device, thieves have read emails and emptied bank accounts.

“I wouldn’t scan a QR code because it’s impossible to tell good from bad and you don’t know until it’s too late,” Mr. Talcove said. “My entire life is on my phone. I’d rather lose my wallet.”

The International Association of Financial Crimes Investigators, a California-based nonprofit, calls the fake codes “quishing scams.”

“They can be placed on parking meters and trick the victim into inputting the card information on a nefarious website, or sitting in a restaurant where you can pay by QR code,” said Mark D. Solomon, a vice president of the association. “You point your camera at the payment QR to learn that a fraudster put a fraudulent QR code over the original.”

Mr. Solomon said bulletin boards, drive-thru windows and businesses are other popular spots for fake codes.

A newer variation involves international fraudsters mailing low-cost, lightweight items such as ping pong balls, postcards, face masks or seeds to online shoppers as an apparent giveaway or customer loyalty perk.

Complaints to the Better Business Bureau Scam Tracker show a surge in recent months of unsolicited packages arriving with instructions to scan a code to find out who sent them or how to initiate a return. The codes can lead to phishing websites or download malware that charges customers a recurring fee, creating access to their bank accounts.

In one Feb. 28 report to BBB Scam Tracker, a customer received an unmarked package that looked as if it came from Amazon. He said it was addressed to his home address and included items he “would have never ordered” such as “baby burping clothes” and two eye makeup products.

“There are QR codes on the outside of the box and on the products, which I did not attempt to scan,” the customer said.

The BBB, a nonprofit consumer protection agency, called the scams “a serious problem for victims.”

The U.S. Postal Inspection Service and authorities in Oklahoma, Utah and Colorado have also flagged the issue in recent months.

In more benign cases, fake QR codes install software that floods a phone with spam and posts fake product reviews under the victim’s name.

“I’ve personally seen a small bamboo cutting board, a small bag of plaster, and more,” said Mike Martel, a postal inspector and spokesman at the U.S. Postal Inspection Service, which investigates mail crimes. “The goal is to boost sales through embellished reviews. If that is achieved, the increase in purchases could outweigh the cost of the unsolicited item.”

According to Rob Shavell, CEO and co-founder of the cybersecurity firm DeleteMe, it’s relatively easy for fraudsters to find or buy people’s names and home addresses on the internet. He said the scams are likely to grow as artificial intelligence makes their task easier.

“Scammers place orders for their own products under the names and addresses of real people, which are often easy to obtain through public records or data broker sites,” said Mr. Shavell, whose Boston-based firm “scrubs” the personal information companies sell to online data brokers. “While we haven’t been able to get exact numbers, we can say that there has been a significant increase in reporting on these types of scams in 2024 and since the start of this year compared to 2023.”

Brushing scams

Fraud experts say Chinese criminals launched the first “brushing” scams — referencing the idea of “brushing up” a retailer’s reputation with fake reviews and orders — in 2015 as more Americans began shopping online.

The practice originally consisted of slapping malicious QR codes onto U.S.-bound products, with the intent of making suspicious sellers of counterfeit or subpar products look like reputable merchants.

As COVID waned in 2022, investigators say Chinese hackers turned their attention from stealing unemployment insurance and U.S. government stimulus checks to upgrading the malicious QR codes. More recent codes solicit direct payments or take over victims’ phones completely.

The U.S. Postal Inspection Service recommends that people who receive unwanted packages monitor their finances for signs of compromised information and change their passwords for online retailers such as eBay, Amazon and Etsy. They can return, toss or keep the items but should never scan the QR codes.

Victims should also report fake codes to the retailer, the Federal Trade Commission and the Postal Inspection Service for any mailed items.

An Amazon spokesperson said the online retailer prohibits unsolicited deliveries and acts swiftly to suspend and report third-party sellers who violate the policy.

“If you confirm that the package addressed to you wasn’t ordered by you or anyone you know, report the package online by going to the Report Unwanted Package form,” Amazon said in an email. “Amazon investigates reports of ‘brushing’ and takes action on bad actors that violate our policies, including suspending or removing selling privileges, withholding payments, and working with law enforcement.”

According to digital safety experts, consumers who have trouble resisting digital codes should avoid storing payment information on their smartphones.

Angelica Gianchandani, a marketing instructor at New York University, said phony QR codes play on people’s natural excitement at receiving freebies, especially during the holidays.

“Scammers are exploiting that enthusiasm,” Ms. Gianchandani said. “Don’t scan the code. Report it to the retailer and monitor your accounts for suspicious activity.”
